Foundation LAB 2 DMVPN with IOU/IOL

Hi all,

Does anyone here know of a bug in DMVPN with IOU/IOL?

 

I have everything set up as the requirements and the solution, but for some reason when I enable the DMVPN VRF either of the tunnel subnets works.

I ran some tests with and without the VRF, and the issue happens when I apply the VRF to the tunnel interfaces.

1 - The first issue was when I tried to ping locally from R7 to R8. I did debug packet detail ping vrf DMVPN 156.192.78.8, and I observed that packets were sourced from the tunnel17 IP address.

I did ping vrf DMVPN 156.192.78.8 source tunnel78 and it also did not work.

The reverse ping worked from R8 to R7 in tunnel 78, debugs showed source from vlan 68 in R8.

2 - I deleted everything and created tunnel78 first between R7 and R8 and now the solution works fine for both routers.

Afterwards I added config from 7 and 1 and now the error is encapsulation failed.

 

*Jun  9 18:46:49.067: FIBfwd-proc: sending link IP ip_pak_table 1 ip_nh_table 65535 if Tunnel17 nh none uhp 1 deag 0 chgif 0 ttlexp 0 rec 0

*Jun  9 18:46:49.067: IP: s=156.192.17.1 (Tunnel17), d=156.192.17.7 (Tunnel17), g=156.192.17.7, len 100, forward

*Jun  9 18:46:49.067:     ICMP type=8, code=0

*Jun  9 18:46:49.067: IP: s=156.192.17.1 (Tunnel17), d=156.192.17.7 (Tunnel17), len 100, encapsulation failed

*Jun  9 18:46:49.067:     ICMP type=8, code=0

 

One interesting thing I did was:

R7(config)#ip route 156.192.17.1 255.255.255.255 tunnel 17

And the ping now works in the VRF, but not in the opposite direction (from R1 to R7).

 

R1#ping vrf DMVPN 156.192.17.7 rep 2

Type escape sequence to abort.

Sending 2, 100-byte ICMP Echos to 156.192.17.7, timeout is 2 seconds:

..

Success rate is 0 percent (0/2)

Take a look:

 

R1#show ip cef vrf DMVPN 156.192.17.7 internal

156.192.17.7/32, epoch 0, flags attached, refcount 5, per-destination sharing

  sources: Adj

  feature space:

   IPRM: 0x0003000C

  subblocks:

   Adj source: IP midchain out of Tunnel17, addr 156.192.17.7 051387E8

    Dependent covered prefix type adjfib, cover 156.192.17.0/24

  ifnums:

   Tunnel17(17): 156.192.17.7

  path 0455FB60, path list 02A26F64, share 1/1, type adjacency prefix, for IPv4

  attached to Tunnel17, adjacency IP midchain out of Tunnel17, addr 156.192.17.7 051387E8

  output chain: IP midchain out of Tunnel17, addr 156.192.17.7 051387E8 IP adj out of Ethernet1/1.121, addr 156.1.121.21 05138918

R1#


It seems like a bug because everything is set up like the solution of the workbook v5.



The last tshoot is:



R1#clear ip route *

R1#clear ip route vrf

R1#clear ip route vrf DMVPN *

R1#show ip cef vrf DMVPN 156.192.17.7 internal

156.192.17.7/32, epoch 0, flags attached, refcount 5, per-destination sharing

  sources: Adj

  subblocks:

   Adj source: IP midchain out of Tunnel17, addr 156.192.17.7 051387E8

    Dependent covered prefix type adjfib, cover 156.192.17.0/24

  ifnums:

   Tunnel17(17): 156.192.17.7

  path 0455FD90, path list 02A270F4, share 1/1, type adjacency prefix, for IPv4

  attached to Tunnel17, adjacency IP midchain out of Tunnel17, addr 156.192.17.7 051387E8

  output chain: IP midchain out of Tunnel17, addr 156.192.17.7 051387E8 IP adj out of Ethernet1/1.121, addr 156.1.121.21 05138918

R1#ping vrf DMVPN 156.192.17.7 rep 2

Type escape sequence to abort.

Sending 2, 100-byte ICMP Echos to 156.192.17.7, timeout is 2 seconds:

..

Success rate is 0 percent (0/2)

R1#




inverse direction working:



R7#clear ip route ?

  *          Delete all routes

  A.B.C.D    Destination network route to delete

  dhcp       Delete route added by DHCP Server or Relay

  multicast  Multicast global information

  topology   Clear routes for a topology instance

  vrf        Clear routes for a VPN Routing/Forwarding instance


R7#clear ip route vrf DMVPN

% Incomplete command.


R7#clear ip route vrf DMVPN ?

  *        Delete all routes

  A.B.C.D  Destination network route to delete

  dhcp     Delete route added by DHCP Server or Relay


R7#clear ip route vrf DMVPN *

R7#ping vrf DMVPN 156.192.17.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 156.192.17.1, timeout is 2 seconds:

!!!!!




I remember I had some issues at workbook 1 v5 with IOU/IOL intermittent, sometimes I had to do shut / no shut and the tunnel came back to the normal operation. 



I can ping between the transport IPs from this DMVPN solution.

Comments

  • JoeM ✭✭✭

    ...It seems like a bug because everything is setup like the solution of the workbook v5...

    No bug.  I have done this a lot in iou and gns3.  It is a simple setup.

    Can you give the tunnel configs?  I never trust "my solution matches the workbook solution".  We all make mistakes.  Sometimes they are simple little typos or a missing command line.

    ...sometimes I had to do shut / no shut and the tunnel came back to the normal operation....

    This is normal.  When changing a tunnel config, get in the habit of doing a "shut/no shut" on the tunnel interface, in order to reinitiate the tunnels.

    note:  If this was placed under the sub-forum heading (foundation lab 2), others can leverage the information for the next couple of years.  Quite often, the same mistakes repeat themselves between candidates.   I have been saved many times by the threads of alumni candidates.

     

     

     

  • Hi Joe, the config follows:

     

    !

    interface Tunnel17

     vrf forwarding DMVPN

     ip address 156.192.17.1 255.255.255.0

     no ip redirects

     ip nhrp authentication PRIVATE

     ip nhrp map multicast dynamic

     ip nhrp network-id 17

     tunnel source Ethernet0/1.57

     tunnel mode gre multipoint

     tunnel key 17

    end

     

    R7#show run int tunnel78

    Building configuration...

     

    Current configuration : 263 bytes

    !

    interface Tunnel78

     vrf forwarding DMVPN

     ip address 156.192.78.7 255.255.255.0

     no ip redirects

     ip nhrp authentication PRIVATE

     ip nhrp map multicast dynamic

     ip nhrp network-id 78

     tunnel source Ethernet0/1.57

     tunnel mode gre multipoint

     tunnel key 78

    end

     

    R7#show run | s vrf

    vrf definition DMVPN

     rd 7:7

     !

     address-family ipv4

     exit-address-family



    R1#show run int tun17

    Building configuration...


    Current configuration : 330 bytes

    !

    interface Tunnel17

     vrf forwarding DMVPN

     ip address 156.192.17.1 255.255.255.0

     no ip redirects

     ip nhrp authentication PRIVATE

     ip nhrp map 156.192.17.7 156.1.57.7

     ip nhrp map multicast 156.1.57.7

     ip nhrp network-id 17

     ip nhrp nhs 156.192.17.7

     tunnel source Ethernet1/1.121

     tunnel mode gre multipoint

     tunnel key 17

    end




    R7#ping vrf DMVPN 156.192.17.1

    Type escape sequence to abort.

    Sending 5, 100-byte ICMP Echos to 156.192.17.1, timeout is 2 seconds:

    !!!!!

    Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/6 ms

    R7#




    R7#ping vrf DMVPN 156.192.78.8

    Type escape sequence to abort.

    Sending 5, 100-byte ICMP Echos to 156.192.78.8, timeout is 2 seconds:

    !!!!!

    Success rate is 100 percent (5/5), round-trip min/avg/max = 2/4/10 ms

    R7#






    R1#show run | s vrf

    vrf definition DMVPN

     rd 1:1

     !

     address-family ipv4

     exit-address-family




    R1#show ip cef vrf DMVPN 156.192.17.7 internal

    156.192.17.7/32, epoch 0, flags attached, refcount 5, per-destination sharing

      sources: Adj

      subblocks:

       Adj source: IP midchain out of Tunnel17, addr 156.192.17.7 051387E8

        Dependent covered prefix type adjfib, cover 156.192.17.0/24

      ifnums:

       Tunnel17(17): 156.192.17.7

      path 0455FB60, path list 02A26F64, share 1/1, type adjacency prefix, for IPv4

      attached to Tunnel17, adjacency IP midchain out of Tunnel17, addr 156.192.17.7 051387E8

      output chain: IP midchain out of Tunnel17, addr 156.192.17.7 051387E8 IP adj out of Ethernet1/1.121, addr 156.1.121.21 05138918

    R1#




    R1#ping vrf DMVPN 156.192.17.7

    Type escape sequence to abort.

    Sending 5, 100-byte ICMP Echos to 156.192.17.7, timeout is 2 seconds:

    ...





    R8#show run int tun78

    Building configuration...


    Current configuration : 329 bytes

    !

    interface Tunnel78

     vrf forwarding DMVPN

     ip address 156.192.78.8 255.255.255.0

     no ip redirects

     ip nhrp authentication PRIVATE

     ip nhrp map 156.192.78.7 156.1.57.7

     ip nhrp map multicast 156.1.57.7

     ip nhrp network-id 78

     ip nhrp nhs 156.192.78.7

     tunnel source Ethernet0/1.68

     tunnel mode gre multipoint

     tunnel key 78

    end




    R8#show run | s vrf

    vrf definition DMVPN

     rd 8:8

     !

     address-family ipv4




    Other pings



    R8#ping vrf DMVPN 156.192.78.7

    Type escape sequence to abort.

    Sending 5, 100-byte ICMP Echos to 156.192.78.7, timeout is 2 seconds:

    !!!!!

    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms

    R8#




    FROM R1 toward R7:


    Debug at R1:



    R1#ping vrf DMVPN 156.192.17.7

    Type escape sequence to abort.

    Sending 5, 100-byte ICMP Echos to 156.192.17.7, timeout is 2 seconds:


    *Jun  9 20:36:51.785: IP: s=156.192.17.1 (local), d=156.192.17.7, len 100, local feature

    *Jun  9 20:36:51.785:     ICMP type=8, code=0, Logical MN local(14), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

    *Jun  9 20:36:51.785: FIBipv4-packet-proc: route packet from (local) src 156.192.17.1 dst 156.192.17.7

    *Jun  9 20:36:51.785: FIBfwd-proc: packet routed by adj to Tunnel17 156.192.17.7

    *Jun  9 20:36:51.785: FIBipv4-packet-proc: packet routing succeeded

    *Jun  9 20:36:51.785: IP: s=156.192.17.1 (local), d=156.192.17.7 (Tunnel17), len 100, sending

    *Jun  9 20:36:51.785:     ICMP type=8, code=0

    *Jun  9 20:36:51.785: IP: s=156.192.17.1 (local), d=156.192.17.7 (Tunnel17), len 100, sending full packet

    *Jun  9 20:36:51.785:     ICMP type=8, code=0

    *Jun  9 20:36:51.785: IP: s=156.1.121.1 (local), d=156.1.57.7, len 128, local feature, proto=47, Logical MN local(14), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

    *Jun  9 20:36:51.785: FIBipv4-packet-proc: route packet from (local) src 156.1.121.1 dst 156.1.57.7

    *Jun  9 20:36:51.785: FIBfwd-proc: packet routed by adj to Ethernet1/1.121 156.1.121.21

    *Jun  9 20:36:51.785: FIBipv4-packet-proc: packet routing succeeded

    *Jun  9 20:36:51.788: IP: s=156.1.121.1 (local), d=156.1.57.7 (Ethernet1/1.121), len 128, sending, proto=47

    *Jun  9 20:36:51.788: IP: s=156.1.121.1 (local), d=156.1.57.7 (Ethernet1/1.121), len 128, sending full packet, proto=47.

    Success rate is 0 percent (0/1)

    R1#



    Output debug at R7, regarding ping from R1 to R7



    R7#debug ip packet detail

    IP packet debugging is on (detailed)

    R7#

    *Jun  9 20:37:47.230: IP: s=156.1.121.1 (Ethernet0/1.57), d=156.1.57.7, len 128, input feature, proto=47, MCI Check(99), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

    *Jun  9 20:37:47.230: FIBipv4-packet-proc: route packet from Ethernet0/1.57 src 156.1.121.1 dst 156.1.57.7

    *Jun  9 20:37:47.230: FIBfwd-proc: Default:156.1.57.7/32 receive entry

    *Jun  9 20:37:47.230: FIBipv4-packet-proc: packet routing failed

    *Jun  9 20:37:47.230: IP: tableid=0, s=156.1.121.1 (Ethernet0/1.57), d=156.1.57.7 (Ethernet0/1.57), routed via RIB

    *Jun  9 20:37:47.230: IP: s=156.1.121.1 (Ethernet0/1.57), d=156.1.57.7 (Ethernet0/1.57), len 128, rcvd 3, proto=47

    *Jun  9 20:37:47.230: IP: s=156.1.121.1 (Ethernet0/1.57), d=156.1.57.7, len 128, stop process pak for forus packet, proto=47

    *Jun  9 20:37:47.230: IP: s=156.192.17.1 (Tunnel17), d=156.192.17.7, len 100, input feature

    *Jun  9 20:37:47.230:     ICMP type=8, code=0, MCI Check(99), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

    *Jun  9 20:37:47.230: FIBipv4-packet-proc: route packet from Tunnel17 src 156.192.17.1 dst 156.192.17.7

    *Jun  9 20:37:47.230: FIBfwd-proc: DMVPN:156.192.17.0/24 process level forwarding

    *Jun  9 20:37:47.230: FIBfwd-proc: depth 0 first_idx 0 paths 1 long 0(0)

    *Jun  9 20:37:47.230: FIBfwd-proc: try path 0 (of 1) v4-con-Tunnel17 first short ext 0(-1)

    *Jun  9 20:37:47.230: FIBfwd-proc: v4-con-Tunnel17 valid

    *Jun  9 20:37:47.230: FIBfwd-proc: Tunnel17 no nh type 2  - deag

    *Jun  9 20:37:47.230: FIBfwd-proc: ip_pak_table 1 ip_nh_table 65535 if Tunnel17 nh none deag 1 chg_if 0 via fib 0 path type connected prefix

    *Jun  9 20:37:47.230: FIBfwd-proc: packet routed to Tunnel17 p2p(1)

    *Jun  9 20:37:47.230: FIBipv4-packet-proc: packet routing succeeded

    *Jun  9 20:37:47.230: FIBfwd-proc: ip_pak_table 1 ip_nh_table 65535 if Tunnel17 nh none uhp 1 deag 0 ttlexp 0

    R7#

    *Jun  9 20:37:47.230: FIBfwd-proc: sending link IP ip_pak_table 1 ip_nh_table 65535 if Tunnel17 nh none uhp 1 deag 0 chgif 0 ttlexp 0 rec 0

    *Jun  9 20:37:47.230: IP: s=156.192.17.1 (Tunnel17), d=156.192.17.7 (Tunnel17), g=156.192.17.7, len 100, forward

    *Jun  9 20:37:47.231:     ICMP type=8, code=0

    *Jun  9 20:37:47.231: IP: s=156.192.17.1 (Tunnel17), d=156.192.17.7 (Tunnel17), len 100, encapsulation failed

    *Jun  9 20:37:47.231:     ICMP type=8, code=0

    R7#

    *Jun  9 20:37:49.251: IP: s=156.1.121.1 (Ethernet0/1.57), d=156.1.57.7, len 128, input feature, proto=47, MCI Check(99), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

    *Jun  9 20:37:49.251: FIBipv4-packet-proc: route packet from Ethernet0/1.57 src 156.1.121.1 dst 156.1.57.7

    *Jun  9 20:37:49.251: FIBfwd-proc: Default:156.1.57.7/32 receive entry

    *Jun  9 20:37:49.251: FIBipv4-packet-proc: packet routing failed

    *Jun  9 20:37:49.251: IP: tableid=0, s=156.1.121.1 (Ethernet0/1.57), d=156.1.57.7 (Ethernet0/1.57), routed via RIB

    *Jun  9 20:37:49.251: IP: s=156.1.121.1 (Ethernet0/1.57), d=156.1.57.7 (Ethernet0/1.57), len 128, rcvd 3, proto=47

    *Jun  9 20:37:49.251: IP: s=156.1.121.1 (Ethernet0/1.57), d=156.1.57.7, len 128, stop process pak for forus packet, proto=47

    *Jun  9 20:37:49.251: IP: s=156.192.17.1 (Tunnel17), d=156.192.17.7, len 100, input feature

    *Jun  9 20:37:49.251:     ICMP type=8, code=0, MCI Check(99), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

    *Jun  9 20:37:49.251: FIBipv4-packet-proc: route packet from Tunnel17 src 156.192.17.1 dst 156.192.17.7

    *Jun  9 20:37:49.251: FIBfwd-proc: DMVPN:156.192.17.0/24 process level forwarding

    *Jun  9 20:37:49.251: FIBfwd-proc: depth 0 first_idx 0 paths 1 long 0(0)

    *Jun  9 20:37:49.251: FIBfwd-proc: try path 0 (of 1) v4-con-Tunnel17 first short ext 0(-1)

    *Jun  9 20:37:49.251: FIBfwd-proc: v4-con-Tunnel17 valid

    *Jun  9 20:37:49.251: FIBfwd-proc: Tunnel17 no nh type 2  - deag

    *Jun  9 20:37:49.251: FIBfwd-proc: ip_pak_table 1 ip_nh_table 65535 if Tunnel17 nh none deag 1 chg_if 0 via fib 0 path type connected prefix

    *Jun  9 20:37:49.252: FIBfwd-proc: packet routed to Tunnel17 p2p(1)

    *Jun  9 20:37:49.252: FIBipv4-packet-proc: packet routing succeeded

    *Jun  9 20:37:49.252: FIBfwd-proc: ip_pak_table 1 ip_nh_table 65535 if Tunnel17 nh none uhp 1 deag 0 ttlexp 0

    R7#

    *Jun  9 20:37:49.252: FIBfwd-proc: sending link IP ip_pak_table 1 ip_nh_table 65535 if Tunnel17 nh none uhp 1 deag 0 chgif 0 ttlexp 0 rec 0

    *Jun  9 20:37:49.252: IP: s=156.192.17.1 (Tunnel17), d=156.192.17.7 (Tunnel17), g=156.192.17.7, len 100, forward

    *Jun  9 20:37:49.252:     ICMP type=8, code=0

    *Jun  9 20:37:49.252: IP: s=156.192.17.1 (Tunnel17), d=156.192.17.7 (Tunnel17), len 100, encapsulation failed

    *Jun  9 20:37:49.252:     ICMP type=8, code=0

    R7#u all

    All possible debugging has been turned off

    R7#





    R7#show ip ro

    Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP

           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

           E1 - OSPF external type 1, E2 - OSPF external type 2

           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

           ia - IS-IS inter area, * - candidate default, U - per-user static route

           o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP

           a - application route

           + - replicated route, % - next hop override


    Gateway of last resort is 156.1.57.5 to network 0.0.0.0


    S*    0.0.0.0/0 [1/0] via 156.1.57.5, Ethernet0/1.57

          7.0.0.0/32 is subnetted, 1 subnets

    C        7.7.7.7 is directly connected, Loopback0

          156.1.0.0/16 is variably subnetted, 2 subnets, 2 masks

    C        156.1.57.0/24 is directly connected, Ethernet0/1.57

    L        156.1.57.7/32 is directly connected, Ethernet0/1.57

          156.192.0.0/32 is subnetted, 1 subnets

    S        156.192.17.1 is directly connected, Tunnel17

    R7#





    R7#show ip route vrf DMVPN


    Routing Table: DMVPN

    Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP

           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

           E1 - OSPF external type 1, E2 - OSPF external type 2

           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

           ia - IS-IS inter area, * - candidate default, U - per-user static route

           o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP

           a - application route

           + - replicated route, % - next hop override


    Gateway of last resort is not set


          156.192.0.0/16 is variably subnetted, 4 subnets, 2 masks

    C        156.192.17.0/24 is directly connected, Tunnel17

    L        156.192.17.1/32 is directly connected, Tunnel17

    C        156.192.78.0/24 is directly connected, Tunnel78

    L        156.192.78.7/32 is directly connected, Tunnel78

    R7#




    Thanks.

     

  • and try to reload the hub router...

     

  • Thank you very much.

     

    I could fix it yesterday by deleting and creating again all tunnel interfaces, but I'm going to be careful about these stuck and follow your advice.

     

     

    Best regards.

  • Lowering your NHRP registration timers can help also.

  • Did you apply cryptography to the tunnel?

    Did you use the "shared" keyword at the end? (Tunnel protection ipsec profile XXXXX shared)

    First I tried without the shared keyword, then the ipsec SA got crazy. Even shutting down the interface and removing the tunnel protection did not remove the SA. No traffic passed and 'show dmvpn' stuck in NHRP state.

    To get this working I applied the tunnel protection with shared and rebooted the IOU Hub router.

     

    But at the end everything worked.

     

     

     

  • I can confirm. Removing and reapplying the tunnel interface solves the issue.

    Look at the nhrp entry while issue present and further down after the fix:

     

    R8#sh ip nhrp 

    156.192.78.7/32 via 156.192.78.7

       Tunnel78 created 03:35:49, never expire 

       Type: static, Flags: used 

       NBMA address: 156.1.57.7 

    156.192.78.7/32 (DMVPN)  <---------------????

       Tunnel78 created 00:00:12, expire 00:02:52

       Type: incomplete, Flags: negative 

       Cache hits: 5

     

    R8(config)#no int tu 78

    R8(config)#interface Tunnel78

    R8(config-if)# vrf forwarding DMVPN

    R8(config-if)# ip address 156.192.78.8 255.255.255.0

    R8(config-if)# no ip redirects

    R8(config-if)# ip nhrp map 156.192.78.7 156.1.57.7

    R8(config-if)# ip nhrp network-id 78

    R8(config-if)# ip nhrp nhs 156.192.78.7

    R8(config-if)# tunnel source Loopback0

    R8(config-if)# tunnel mode gre multipoint

    R8(config-if)# tunnel key 78

    R8(config-if)#

    R8(config-if)#end

     

    R8#ping vrf DMVPN 156.192.78.7

    Type escape sequence to abort.

    Sending 5, 100-byte ICMP Echos to 156.192.78.7, timeout is 2 seconds:

    !!!!!

    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

    R8#sh ip nh

    R8#sh ip nhrp 

    156.192.78.7/32 (DMVPN) via 156.192.78.7

       Tunnel78 created 00:00:06, never expire 

       Type: static, Flags: used 

       NBMA address: 156.1.57.7 

     

    R8#
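
A check for the symptom shown in the `sh ip nhrp` output above, as an added example that is not part of the original thread: it parses the command's text and flags a prefix whose static mapping and incomplete entry are listed under different VRFs on the same tunnel. The sample inputs are constructed from the two states quoted in the thread; the function names `parse_nhrp` and `find_vrf_split` are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: the two "show ip nhrp" states quoted in the thread.
BROKEN = """\
156.192.78.7/32 via 156.192.78.7
   Tunnel78 created 03:35:49, never expire
   Type: static, Flags: used
   NBMA address: 156.1.57.7
156.192.78.7/32 (DMVPN)
   Tunnel78 created 00:00:12, expire 00:02:52
   Type: incomplete, Flags: negative
   Cache hits: 5
"""
FIXED = """\
156.192.78.7/32 (DMVPN) via 156.192.78.7
   Tunnel78 created 00:00:06, never expire
   Type: static, Flags: used
   NBMA address: 156.1.57.7
"""

# Entry header: prefix, optional "(VRF)" tag, optional "via <next hop>".
HEADER = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})(?:\s+\(([^)]+)\))?(?:\s+via\s+(\S+))?")
DETAIL = {
    "iface": re.compile(r"^\s+(\S+) created "),
    "type": re.compile(r"^\s+Type: (\w+),"),
    "flags": re.compile(r"Flags: (.*?)\s*$"),
    "nbma": re.compile(r"^\s+NBMA address: (\S+)"),
}

def parse_nhrp(text):
    """Return one dict per cache entry; vrf is None when no VRF tag is shown."""
    entries, cur = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            cur = {"prefix": m.group(1), "vrf": m.group(2), "via": m.group(3),
                   "iface": None, "type": None, "flags": "", "nbma": None}
            entries.append(cur)
        elif cur is not None and line[:1].isspace():
            for key, rx in DETAIL.items():
                d = rx.search(line)
                if d:
                    cur[key] = d.group(1)
    return entries

def find_vrf_split(entries):
    """Flag a prefix whose static mapping and incomplete entry sit in different VRFs."""
    groups = defaultdict(list)
    for e in entries:
        groups[(e["prefix"], e["iface"])].append(e)
    findings = []
    for (prefix, iface), group in groups.items():
        for s in (e for e in group if e["type"] == "static"):
            for b in (e for e in group if e["type"] == "incomplete"):
                if s["vrf"] != b["vrf"]:
                    findings.append({"prefix": prefix, "iface": iface, "nbma": s["nbma"],
                                     "static_vrf": s["vrf"], "incomplete_vrf": b["vrf"]})
    return findings

if __name__ == "__main__":
    for name, text in (("before", BROKEN), ("after", FIXED)):
        print(name, find_vrf_split(parse_nhrp(text)))
```
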


     
